Debian 12 questions

Hi, I want to try Debian 12, two quick questions:

-If I select this option, will it encrypt the full drive?

debian-stretch-12-partition-disks.png

 

I'm going to use this option because I don't know how to enter stuff manually:

 

debian-stretch-14-partition-disks.png

 

This shows up on this tutorial:

 

debian-stretch-17-partition-disks.png

 

debian-stretch-18-partition-disks.png

 

debian-stretch-19-partition-disks.png

 

So what's going on? Only sda5_crypt is encrypted? What about the root, swap and boot volumes? I've heard not encrypting them can leak data.

 

-Which iso should I download? I want to use Xfce desktop.

 

-Will this work with an Nvidia GPU? I've heard there are other ISOs, with some non-free firmware stuff, I'm assuming I'm going to need that, if I want to boot with an Nvidia GPU. Ideally I would want this with as much free stuff as possible, but I'm not sure which device would boot that has an open source firmware for everything.

 

I don't want to use Mint, Pop!_OS etc., those are too bloated with stuff I don't need, this one seems nice and basic, I just need to figure out these things. If anyone knows about this please let me know.

 


"Guided - use entire disk and setup encrypted LVM" option will encrypt your whole system except for a small /boot (or /boot/efi) partition.

 


sda5_crypt is the container of your encrypted partitions. Those two "LVM VG" lines up top (ext4 and swap) are what goes inside sda5_crypt.

 

22 minutes ago, superbuu said:

-Which iso should I download? I want to use Xfce desktop.

Click the big download button on debian.org. It will download the netinst ISO which will let you choose which desktop environment to install during the Debian installation. I've had bad luck with the specialty ISOs that include a specific desktop environment. Just use the normal ISO it gives you.

 

26 minutes ago, superbuu said:

-Will this work with an Nvidia GPU? I've heard there are other ISOs, with some non-free firmware stuff, I'm assuming I'm going to need that, if I want to boot with an Nvidia GPU. Ideally I would want this with as much free stuff as possible, but I'm not sure which device would boot that has an open source firmware for everything.

In modern times, Debian will enable proprietary firmware in the installer, such as for WiFi, though I don't think it will enable the full proprietary Nvidia driver. You should still be able to get through the Debian installation with the default open source Nvidia driver.


On 11/22/2023 at 5:22 AM, superbuu said:

So what's going on? Only sda5_crypt is encrypted? What about the root, swap and boot volumes? I've heard not encrypting them can leak data.

The last item (SCSI1) is the physical disk. It contains two partitions, one primary partition for "boot" and one logical partition containing an encrypted volume (sda5_crypt).

 

The boot partition can't be encrypted, because your BIOS needs to be able to read it to kick off the actual boot process, which then needs to be able to prompt you for the Encryption Passphrase. The passphrase is required to unlock the actual encryption key, which unlocks the encrypted volume to make your data accessible.

 

The encrypted volume (sda5_crypt) contains the Volume Group (VG) "debian-vg" of the Logical Volume Manager (LVM). This volume group in turn contains two Logical Volumes (LV), one for the root partition (/), containing all of your data, and one for swap.

 

So everything, except for the small boot partition, is encrypted.

 

I want to point out two things:

  • Be aware of the possible drawbacks of encryption. If you lose access/forget the passphrase, your data is toast. If the boot partition gets messed up (had that happen to me) your data is toast unless you know your way around the Grub rescue mode. So be sure to keep backups.
  • Debian's primary goals are stability and security. That makes it very suitable for servers that need to have high uptime. It's not as suitable for a desktop, because a lot of the software that comes with it will be old. Very old (but well maintained and full of security patches). If you want something more desktop oriented that is based on Debian, use Ubuntu (or Xubuntu for Xfce).


On 11/22/2023 at 5:27 AM, Eigenvektor said:

The last item (SCSI1) is the physical disk. It contains two partitions, one primary partition for "boot" and one logical partition containing an encrypted volume (sda5_crypt).

 

The boot partition can't be encrypted, because your BIOS needs to be able to read it to kick off the actual boot process, which then needs to be able to prompt you for the Encryption Passphrase. The passphrase is required to unlock the actual encryption key, which unlocks the encrypted volume to make your data accessible.

 

The encrypted volume (sda5_crypt) contains the Volume Group (VG) "debian-vg" of the Logical Volume Manager (LVM). This volume group in turn contains two Logical Volumes (LV), one for the root partition (/), containing all of your data, and one for swap.

 

So everything, except for the small boot partition, is encrypted.

 

I want to point out two things:

  • Be aware of the possible drawbacks of encryption. If you lose access/forget the passphrase, your data is toast. If the boot partition gets messed up (had that happen to me) your data is toast unless you know your way around the Grub rescue mode. So be sure to keep backups.
  • Debian's primary goals are stability and security. That makes it very suitable for servers that need to have high uptime. It's not as suitable for a desktop, because a lot of the software that comes with it will be old. Very old (but well maintained and full of security patches). If you want something more desktop oriented that is based on Debian, use Ubuntu (or Xubuntu for Xfce).

I see, it's quite confusing. Like, why is it number #5 for sda5_crypt and not just #2? And how would one know that the swap and root partitions are inside the sda5_crypt? It's really clearly indicated.

 

Anyway, I will download the ISO and try. I assume the installer is smart enough to set the ideal swap and root partition sizes, isn't it? Last time I checked it depends on your RAM. I just don't want to screw around and not encrypt something in the process or something, I will just follow the installer. Thanks for the input to both above.


On 11/21/2023 at 11:22 PM, superbuu said:

So what's going on? Only sda5_crypt is encrypted? What about the root, swap and boot volumes? I've heard not encrypting them can leak data.

sda5_crypt is an encrypted volume that root and swap will be based in.

Boot will remain unencrypted, but there's no user data in there. If you're concerned about security in your /boot partition, that's literally what Secure Boot and TPM were designed (or claimed to be designed) to address.

 

Also even if you encrypt your system, as long as it's turned on it's unencrypted.

 

You can see all this

On 11/23/2023 at 9:45 PM, superbuu said:

I assume the installer is smart enough to set the ideal swap and root partition sizes, isn't it?

Yes, it is.

 

On 11/23/2023 at 9:45 PM, superbuu said:

Last time I checked it depends on your RAM.

Yes and no, swap in that regard only affects hibernation (which is also known as Suspend to Disk). If you don't use hibernation, you don't really need as much swap as you have RAM, since all hibernation does is dump your system RAM into swap to achieve a lower power state suspension than system sleep would (I believe effectively only keeping the firmware active on the motherboard).
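
Added example, not part of any post in this thread: one way to confirm on an installed system that root and swap really sit inside the encrypted container, by walking each mounted device's parent chain in `lsblk -P` output. The sample input is constructed to match the sda1 / sda5_crypt / debian-vg layout described above, and the function names are this example's own.

```shell
#!/bin/sh
# Classify every mounted filesystem / swap area as encrypted or plaintext,
# depending on whether a dm-crypt mapping (TYPE="crypt") sits beneath it.

# Constructed sample: what lsblk would print for the layout in the thread.
sample_lsblk() {
cat <<'EOF'
NAME="sda" KNAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda1" KNAME="sda1" PKNAME="sda" TYPE="part" MOUNTPOINT="/boot"
NAME="sda2" KNAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="sda5" KNAME="sda5" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="sda5_crypt" KNAME="dm-0" PKNAME="sda5" TYPE="crypt" MOUNTPOINT=""
NAME="debian--vg-root" KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
NAME="debian--vg-swap_1" KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
EOF
}

# Reads `lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT` on stdin.
# Prints "<encrypted|PLAINTEXT> <mountpoint> <name>" for each mounted device.
classify_mounts() {
awk '
function val(key,   s) {
    # Anchor on start-of-line or a space so NAME does not match KNAME/PKNAME.
    if (!match($0, "(^| )" key "=\"[^\"]*\"")) return ""
    s = substr($0, RSTART, RLENGTH)
    sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
    return s
}
{
    k = val("KNAME"); parent[k] = val("PKNAME"); type[k] = val("TYPE")
    name[k] = val("NAME"); mnt[k] = val("MOUNTPOINT"); order[++n] = k
}
END {
    for (i = 1; i <= n; i++) {
        k = order[i]
        if (mnt[k] == "") continue
        state = "PLAINTEXT"
        # Walk up the stack: LV -> crypt mapping -> partition -> disk.
        for (d = k; d != ""; d = parent[d])
            if (type[d] == "crypt") { state = "encrypted"; break }
        print state, mnt[k], name[k]
    }
}'
}

# On a live system: lsblk -P -o NAME,KNAME,PKNAME,TYPE,MOUNTPOINT | classify_mounts
sample_lsblk | classify_mounts
```

Anything reported as PLAINTEXT other than /boot (or /boot/efi) is outside the encrypted container.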
